The Inevitable Collapse of the Certificate Model

2010-10-22

Many had high expectations of the SSL/TLS certificate model. At least on paper it sounded promising and worthwhile. Keys are used to protect traffic; for this to be effective, keys shall be bound to business entities; for the binding to be trusted by the public, the binding will be signed by Certification Authorities (CAs), which the public will recognize as authoritative. Once the trusted CA signs the binding between a business entity (represented by a domain name) and a key, every user can tell he is communicating securely with the correct entity.

In practice, it got all messed up. For one thing, it is difficult to form authorization hierarchies on the global Internet. However, the model also failed because of the economics behind it.

Once the CA gets the money from the certificate applicant, the less effort it spends on the issuance process, the higher profit it makes. Sophisticated scrutiny of the entity seeking certification costs money, and as scrutiny can also lead to rejection — it leads to fewer customers as well. Giving away certificates after milder checks makes better margins, and brings more business.

If the damage of lax certification practices were borne by the customers buying the certificates, then we could expect the free economy to correct the situation by having such CAs lose customers to CAs with more stringent certification practices. Unfortunately, this is not the case. The damage caused by lax certification practices is borne by the public, not by the certificate buyers. We suffer from nation- and corporate-caused MITM attacks, phishing and impersonation on the net, caused by offenders getting certificates under others' identities.

This situation is what is referred to in economics as an externality. The cost of a practice falls not on the practicing entity but on others, who have no way to pass the cost back to the practicing entity. This is where the regulator typically kicks in, but in the certification case it has not happened yet, and many factors may prevent it from happening (such as the certification system being global, and the regulator being untrusted).

For the sake of accuracy, the impact of bad certification practices is not a complete externality, because once the certification system collapses due to lack of user confidence, all CAs will lose their business. However, this damage is distant and results from the behavior of the CA community as a whole, whereas the monetary gains from poor certification practices are tangible, direct and immediate. This situation could have been better if there were one CA, but there are many.

We now face a closed loop of continuous deterioration in the trustworthiness of certificates. Occasionally, a CA takes one small shortcut to keep an edge over its competition, practically setting a new, lower, standard. The other CAs, who will all lose from the impact of the shortcut taken by their peer (in terms of reduced public confidence) anyway, just follow suit to compete.

We have already reached a situation in which it is common practice not to trust CA certificates as blindly as before. Repeated stories about CAs signing the wrong bindings, exposing their relying parties to fraud and eavesdropping, all make relying on certificates alone seem almost like misconduct.

To overcome diminishing user confidence, CAs invented the EV (“Extended Validation”) certificates: certificates that are “stronger” in that they follow more rigorous verification of the key owner's identity. Essentially, the CAs promise us in EV certificates what we were promised just a decade ago with regular certificates, and never got.

There is no reason to believe that EV certificates will end up any better than the usual certificates. Nothing in the system is fundamentally different architecture-wise. It only buys CAs time, and gives them a second chance. It is certainly possible that in a short while one CA will figure that issuing EV certificates with just a little less validation is cheaper, other CAs will follow, etc.

It is possible that the system is just broken by design. As long as users cannot unite to effectively bind CAs by strict rules of conduct, and as long as the legal system and economy allow CAs to sell such a service with zero liability, there is no reason to believe that the situation will improve miraculously.

After giving it some thought, I will share my view on what can replace the certificate model.

1 comment

Google built a trust model for documents on the Internet through the PageRank algorithm for effective keyword/phrase search. Can this crowdsourcing model of trust building somehow be applied to certificate trust building?